|Publication number||US7930551 B2|
|Application number||US 11/748,953|
|Publication date||Apr 19, 2011|
|Filing date||May 15, 2007|
|Priority date||May 15, 2006|
|Also published as||US20070291933|
|Inventors||David Reginald Evans|
|Original Assignee||Arris Group, Inc.|
This application claims the benefit of priority under 35 U.S.C. 119(e) to Evans, et al., U.S. Provisional Patent Application No. 60/800,578 entitled “Fast MMH-MAC calculation by re-use of MMH function,” which was filed May 15, 2006, and is incorporated herein by reference in its entirety.
This invention relates, generally, to communication networks and, more particularly, to performing message transmission security in a communication network.
One method of securing a message transmitted between two devices is to use a one-time pad. Both devices have a copy of the one-time pad value and use it to calculate the output of a function, typically a hash function, based on the message and the one-time pad value. The result of the hash function may be referred to as a Message Authentication Code (“MAC”). When the receiving device receives the message along with the MAC calculated at the transmitting device, it calculates the same hash function for the received message and its stored copy of the one-time pad. If the hash function output calculated at the receiving device is the same as the MAC received from the transmitting device, then the receiving device determines that the message was not altered after it was transmitted from the transmitting device.
While using a one-time pad results in secure transmission of the message, the one-time pad is not reused. Thus, new one-time pad values must be generated and distributed to the transmitting device and the receiving device. This can consume processor resources as well as bandwidth resources between transmitting devices and receiving devices. Thus, there is a need in the art for a method for determining a MAC that does not rely on a one-time pad value.
As a preliminary matter, it will be readily understood by those persons skilled in the art that the present invention is susceptible of broad utility and application. Many methods, embodiments and adaptations of the present invention other than those herein described, as well as many variations, modifications, and equivalent arrangements, will be apparent from or reasonably suggested by the present invention and the following description thereof, without departing from the substance or scope of the present invention.
Accordingly, while the present invention has been described herein in detail in relation to preferred embodiments, it is to be understood that this disclosure is only illustrative and exemplary of the present invention and is made merely for the purposes of providing a full and enabling disclosure of the invention. The following disclosure is not intended nor is to be construed to limit the present invention or otherwise to exclude any such other embodiments, adaptations, variations, modifications and equivalent arrangements, the present invention being limited only by the claims appended hereto and the equivalents thereof.
Turning now to the figure,
It will be appreciated that although the sharing of the secret is represented by a step having a higher reference number than the reference number for the receiving of the message to be transmitted, the sharing of the secret can occur at any time in reference to the receiving of the message to be transmitted. In some scenarios, for example, the use of a cable modem (“CM”) and a cable modem termination system (“CMTS”) as known in the art of Data Over Cable Service Interface Specifications (“DOCSIS”), the secret may be shared at the time the devices are manufactured, or at the time a given CM or a given CMTS module is placed into service in a hybrid fiber coaxial cable system, for example. In addition, it will be appreciated that in some scenarios, the sharing of the secret may occur periodically, which period may vary according to system design, including monthly, weekly, daily, hourly, or even more or less frequently.
At step 120, the secret (“S”) is divided into a first secret portion (“S1”) and a second secret portion (“S2”). As discussed above, the splitting of S into S1 and S2 can occur at any time. Furthermore, each transmitting and receiving device can perform the splitting operation based on the same splitting algorithm, or one or the other of the receiving or transmitting devices can perform the splitting function and then transmit S1 and S2 to the other device.
At step 125, the output of a public function F(x) is computed for S1. It will be appreciated that the public function is preferably the function F( ) described in section 11.8 of DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I03-070223, as published by CableLabs, Inc., which document is referred to herein as the “Security Specification” and is incorporated herein by reference in its entirety. It will be appreciated that other functions may be used as desired in other implementations of method 100, and that the description of the function F below is given as an example of a public function that can be used in method 100.
From the Security Specification:
Thus, the output of F(S1) is based on the shared secret and the seed, as described in the Security Specification. In an example, S=S1 for the generation of the output of F(x) at step 125. The output of F(x) is computed at step 125 for a predetermined number, or length, of information units. Preferably, the information units are octets; an octet is known in the art to be eight bits. Furthermore, for example, according to the Security Specification, sixteen octets comprise the desired output block length for a MAC. Other values may be used for the output block length, according to the needs of the user of the system. For purposes of discussion, the desired number of octets in a MAC is represented by L herein. At step 125, the calculation of F(S1, seed) generates a keystream output of octets. The number of octets in the keystream is determined so that the length of the keystream is sufficient for the one-way function to operate on the message M that is to be protected. The message M to be protected may be padded with null bits so that its size is a multiple of the word size used by the one-way function. For example, the Security Specification states that word size is two octets, or sixteen bits. If the keystream generated at step 125 is greater than necessary for the one-way function to operate on M, whether null padding is used or not, then the keystream is truncated to the necessary length.
At step 130, a first output of a one-way function is calculated. An example of a one-way function that may be performed at step 130 is a hash function. An example of such a hash function is a Multilinear Modular Hash (“MMH”) function, as described in the Security Specification. At step 135, each L octets of the first output of the one-way function are summed into a summation value (“A”). The summation value A and the second secret portion S2 are concatenated at step 140 into a concatenated value.
At step 145, the first L octets of F(x) are calculated based on the concatenated value. Thus, for example, the first L octets of the output of F(A+S2, seed) are generated at step 145. At step 150, a second output of the one-way function is calculated based on F(A+S2, seed) calculated in step 145. The result of the calculation of the one-way function at step 150 is used as the MAC. Thus, calculation of the MMH function at step 150 uses the output of F(A+S2, seed) determined at step 145 and is used as a substitute for a one-time pad. However, the calculation of the MMH function to generate a MAC using the public function F(x) results in faster generation of the MAC because a one-time pad does not have to be determined and distributed to the transmitting and receiving device before secure transmission of a message takes place. Only the secret is shared, and the same secret can be, and typically is, used over and over again for a period of time.
After the MAC has been generated at step 150, M is transmitted to the receiving device, along with the MAC, at step 155. When the receiving device receives the message M and the MAC, it performs the same steps 125 through 150 with respect to the message. If the MAC that the receiving device calculates is the same as the MAC received along with the message from the transmitting device, then the receiving device determines that M has not been altered from the time it was transmitted from the transmitting device. If the MAC messages do not match, the receiving device may request that the transmitting device re-transmit the message or perform other actions based on knowledge that the received message does not match the transmitted message. Method 100 ends at step 160.
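The flow of steps 120 through 150 and the receiver's check, as an added Python sketch; it is not code from the patent or from the Security Specification, and it shows data flow only, not a vetted MAC. Assumptions: F is replaced by SHAKE-256 because the specification's function is not reproduced on this page, `one_way` is a simplified 16-bit MMH-style multiply with an assumed modulus of 65537, S is split in half, M is null-padded to a multiple of L, and step 150 is read as re-running the one-way function on A keyed by the step 145 output.

```python
import hashlib
import hmac

L = 16       # MAC length in octets (the page's example value)
P = 65537    # assumption: prime modulus for the toy 16-bit multiply step

def F(x: bytes, seed: bytes, n: int) -> bytes:
    """Stand-in public function (SHAKE-256); NOT the Security Specification's F."""
    return hashlib.shake_256(len(x).to_bytes(2, "big") + x + seed).digest(n)

def words(b: bytes) -> list:
    """Split octets into 16-bit big-endian words (two-octet word size)."""
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, len(b), 2)]

def one_way(key: bytes, data: bytes) -> bytes:
    """Toy MMH-style step: each data word times its key word, mod P, mod 2^16."""
    out = [(d * k) % P % 65536 for d, k in zip(words(data), words(key))]
    return b"".join(w.to_bytes(2, "big") for w in out)

def compute_mac(secret: bytes, seed: bytes, message: bytes) -> bytes:
    half = len(secret) // 2
    s1, s2 = secret[:half], secret[half:]              # step 120 (assumed split)
    padded = message + b"\x00" * (-len(message) % L)   # null padding (to L here)
    keystream = F(s1, seed, len(padded))               # step 125
    first = one_way(keystream, padded)                 # step 130
    a = [0] * (L // 2)                                 # step 135: fold L-octet chunks
    for i, w in enumerate(words(first)):
        a[i % (L // 2)] = (a[i % (L // 2)] + w) % 65536
    a_bytes = b"".join(w.to_bytes(2, "big") for w in a)
    pad_key = F(a_bytes + s2, seed, L)                 # steps 140-145
    return one_way(pad_key, a_bytes)                   # step 150: the MAC

def verify(secret: bytes, seed: bytes, message: bytes, mac: bytes) -> bool:
    """Receiver side: recompute steps 125-150, compare in constant time."""
    return hmac.compare_digest(compute_mac(secret, seed, message), mac)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    s, seed = bytes(range(32)), b"constructed-seed"
    m = b"constructed DOCSIS-style management message"
    tag = compute_mac(s, seed, m)
    print(tag.hex(), verify(s, seed, m, tag))
```

Because the padding is null octets, a message and the same message followed by a null octet yield the same MAC in this sketch unless the message length is carried inside M.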
These and many other objects and advantages will be readily apparent to one skilled in the art from the foregoing specification when read in conjunction with the appended drawings. It is to be understood that the embodiments herein illustrated are examples only, and that the scope of the invention is to be defined solely by the claims when accorded a full range of equivalents.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US20020110239 *||Jun 9, 1999||Aug 15, 2002||Ramarathnam Venkatesan||Technique for producing a parameter, such as a checksum, through a primitive that uses elementary register operations|
|US20040131180 *||Nov 4, 2002||Jul 8, 2004||Gadi Mazuz||Cipher implementation|
|US20040252836 *||Feb 26, 2004||Dec 16, 2004||Hirotaka Yoshida||Message-authenticated encryption apparatus or decryption apparatus for common-key cipher|
|US20080112561 *||Nov 12, 2007||May 15, 2008||Kim Woo Hwan||Method of generating message authentication code using stream cipher and authentication/encryption and authentication/decryption methods using stream cipher|
|EP1133099A2 *||Feb 16, 2001||Sep 12, 2001||Hitachi, Ltd.||Method and apparatus for symmetric-key encryption|
|1||*||Atici et al., "Universal Hashing and Multiple Authentication", 1996, Advances in Cryptology-CRYPTO '96, pp. 16-30.|
|2||*||Atici et al., "Universal Hashing and Multiple Authentication", 1996, Advances in Cryptology—CRYPTO '96, pp. 16-30.|
|3||*||Black et al., "UMAC: Fast and Secure Message Authentication", Aug. 4, 1999, Advances in Cryptology, CRYPTO '99, pp. 1-27.|
|4||DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I03-070223. Feb. 23, 2007. Section 11, pp. 87-94. Cable Television Laboratories, Inc.|
|5||*||Halevi et al., "MMH: Software Message Authentication in the Gbit/second Rates", Mar. 1997, Proceedings of the 4th Workshop on Fast Software Encryption, LNCS vol. 1267, Springer, 1997. pp. 172-189.|
|U.S. Classification||713/181, 380/28, 713/168|
|Cooperative Classification||H04L2209/20, H04L9/0643, H04L9/0662|
|European Classification||H04L9/06F, H04L9/06M2B|
|Aug 15, 2007||AS||Assignment|
Owner name: ARRIS GROUP, INC., GEORGIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EVANS, DAVID REGINALD;REEL/FRAME:019701/0340
Effective date: 20070809
|Apr 16, 2013||AS||Assignment|
Owner name: ARRIS ENTERPRISES, INC., GEORGIA
Free format text: MERGER;ASSIGNOR:ARRIS GROUP, INC.;REEL/FRAME:030223/0244
Effective date: 20130416
|May 28, 2013||AS||Assignment|
Owner name: BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT, IL
Free format text: SECURITY AGREEMENT;ASSIGNORS:ARRIS GROUP, INC.;ARRIS ENTERPRISES, INC.;ARRIS SOLUTIONS, INC.;AND OTHERS;REEL/FRAME:030498/0023
Effective date: 20130417
|Oct 20, 2014||FPAY||Fee payment|
Year of fee payment: 4
|Mar 14, 2017||AS||Assignment|
Owner name: ARRIS ENTERPRISES LLC, PENNSYLVANIA
Free format text: CHANGE OF NAME;ASSIGNOR:ARRIS ENTERPRISES INC;REEL/FRAME:041995/0031
Effective date: 20151231